Q65 — AWS DVA-C02 Ch.3
Question 65 of 100, Chapter 3
A company uses AWS Lambda functions and Amazon S3 event notifications to process images uploaded to S3 buckets. The development team set up multiple environments in a single AWS account. After a recent production deployment, the team observed that uploads to the development S3 bucket triggered the production environment’s Lambda function. These invocations caused the production Lambda function to unintentionally process development S3 files. The team must prevent these unintended invocations and follow security best practices. Which solution meets these requirements?
- A. Update the production Lambda function’s execution role to add a policy allowing the role to read only from the production S3 bucket.
- B. Move the development and production environments to separate AWS accounts. Add resource-based policies to each Lambda function permitting invocation only from S3 buckets within the same account.
- C. Add a resource-based policy to the production Lambda function allowing invocation only from the production S3 bucket. ✓
- D. Move the development and production environments to separate AWS accounts. Update each function’s Lambda execution role to add a policy allowing the role to read from S3 buckets only within the same account.
Correct Answer: C. Add a resource-based policy to the production Lambda function allowing invocation only from the production S3 bucket.
Explanation
To prevent the development S3 bucket from invoking the production Lambda function, the function must accept invocations only from the S3 bucket it is expected to serve. Option A restricts only what the Lambda function's execution role may read; it does not restrict which S3 buckets can trigger the function. Option B isolates the environments but still permits any S3 bucket in the same account to invoke the function, which is insufficient. Option D similarly fails to restrict the invocation source. Option C adds a resource-based policy to the production Lambda function that explicitly allows invocation only from the production S3 bucket. This directly addresses the problem and follows security best practices such as least privilege and environment isolation. Thus, C is the correct answer.